
Re: [EXTERNAL] Re: Creating a note track for Strict CSP

From: Jun Kokatsu <Jun.Kokatsu@microsoft.com>
Date: Mon, 25 Oct 2021 19:53:39 +0000
To: "mike@mikewest.org" <mike@mikewest.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
CC: "lwe@google.com" <lwe@google.com>
Message-ID: <MN2PR00MB0704C6D3B7EB2474E4BA622AE2839@MN2PR00MB0704.namprd00.prod.outlook.com>
> I think it's pretty reasonable to add recommendations like this directly to CSP's "Authoring Considerations" section instead

That sounds good as well. However, when talking about Strict CSP, we probably want to mention Nonce-only CSP (without 'strict-dynamic') as well. And if so, we probably want to mention how to pass the nonce to libraries too. And it seems like it'll be longer than a few paragraphs. But we can just stick to Strict CSP for now and just mention that "removing 'strict-dynamic' is more secure" too. Either way works for me 🙂

> I wonder if others would be interested in that as well?

I'm interested in this 🙂 However, there are mixed opinions within the WG about Trusted Types, so I'd like that to settle before making [SecureContext=Injection] a thing.


Thanks,

Jun
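The two flavours Jun contrasts above (nonce-based script-src with and without 'strict-dynamic') and the "is this policy actually strict?" question his colleague raised, as an added example that is not part of the thread: it builds the header shape documented at https://web.dev/strict-csp/ and reports why an arbitrary policy string falls short of it. Function names and the error strings are my own.

```python
import secrets

# Added example, not code from the thread: build the Strict CSP header from
# https://web.dev/strict-csp/ and check whether a header string meets it.

def new_nonce() -> str:
    """Fresh per-response nonce (128 bits), base64url as the CSP grammar expects."""
    return secrets.token_urlsafe(16)

def strict_csp(nonce: str, strict_dynamic: bool = True) -> str:
    """Nonce-only CSP, optionally with 'strict-dynamic'. Without it every
    script a library injects must carry the nonce itself: tighter, but the
    nonce has to be passed down to that library."""
    sources = [f"'nonce-{nonce}'"]
    if strict_dynamic:
        sources.append("'strict-dynamic'")
    sources.append("'unsafe-inline'")  # ignored once a nonce is present (CSP2+)
    if strict_dynamic:
        sources += ["https:", "http:"]  # ignored once 'strict-dynamic' is honoured
    return f"script-src {' '.join(sources)}; object-src 'none'; base-uri 'none';"

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def strict_csp_problems(header: str) -> list[str]:
    """Reasons a policy is NOT a Strict CSP; an empty list means it qualifies."""
    p = parse_csp(header)
    script = p.get("script-src", p.get("default-src", []))
    problems = []
    if not any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script):
        problems.append("script-src has no nonce or hash source")
    if "'unsafe-eval'" in script:
        problems.append("'unsafe-eval' leaves eval()-style sinks open")
    if "'strict-dynamic'" not in script:
        # Without 'strict-dynamic' every host/scheme/'self' entry is a live allowlist.
        live = [s for s in script if not s.startswith(("'nonce-", "'sha", "'unsafe-inline"))]
        if live:
            problems.append("allowlist sources still active: " + " ".join(live))
    if p.get("object-src", p.get("default-src")) != ["'none'"]:
        problems.append("object-src must be 'none'")
    if p.get("base-uri") not in (["'none'"], ["'self'"]):
        problems.append("base-uri must be 'none' or 'self'")
    return problems
```

Run `strict_csp_problems` over the policy a site already serves to see which of the Strict CSP properties it is missing before switching it to the nonce-based form.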

________________________________
From: Mike West <mike@mikewest.org>
Sent: Saturday, October 23, 2021 2:43 AM
To: public-webappsec@w3.org <public-webappsec@w3.org>
Cc: lwe@google.com <lwe@google.com>; Jun Kokatsu <Jun.Kokatsu@microsoft.com>
Subject: [EXTERNAL] Re: Creating a note track for Strict CSP

Hey Jun!

I agree that this would be valuable, but I'm not sure that a separate Note-track document is the right path: I think it's pretty reasonable to add recommendations like this directly to CSP's "Authoring Considerations" section instead, as a more direct indication of the ways in which CSP can be securely deployed. Perhaps you could work with Lukas Weichselbaum to condense https://web.dev/strict-csp/ into a few paragraphs? I'd happily review such a PR.

Tangentially, I'd also like https://github.com/mikewest/securer-contexts#what-defenses-would-securecontextinjection-require to eventually become a thing (though not with the spelling proposed there), which would require/create a normative definition of a subset of CSP that could impact the availability of certain APIs, just as [CrossOriginIsolated] <https://webidl.spec.whatwg.org/#CrossOriginIsolated> does today. I wonder if others would be interested in that as well?

-mike

On Fri, Oct 22, 2021 at 9:55 PM Jun Kokatsu <Jun.Kokatsu@microsoft.com> wrote:
Hi All,

While advocating internally within Microsoft about Strict CSP <https://web.dev/strict-csp/>, I've got the following words 🙂

We talked to a security person within our org to try to better understand what the implications of adding “Strict CSP” to XYZ are. However, quoting our sec expert, it seems like “"Strict CSP" is an informal term used by people from industry, I don't recall seeing it in the standard”.

While I was a little frustrated, I do think this person also has a point that Strict CSP has mostly been talked about by Google (though it's probably deployed to some other sites <https://mitigation.supply/> too).

I wonder if we can create a note track about Strict CSP (just like Post-Spectre Web Development <https://www.w3.org/TR/post-spectre-webdev/>), assuming people agree that Strict CSP is something that can be recommended by the WebAppSec WG.

Please let me know what you all think 🙂

Thanks,

Jun
Received on Monday, 25 October 2021 19:53:57 UTC